Microsoft Security Advisory (2524375)

Discussion in 'other security issues & news' started by ronjor, Mar 23, 2011.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,027
    Location:
    Texas
    https://www.microsoft.com/technet/security/advisory/2524375.mspx
     
  2. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    "browsers which have enabled the Online Certificate Status Protocol (OCSP) will interactively validate these certificates and block them from being used."

    And how do we do that?
     
  3. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,410
    Location:
    U.S.A.
    Hugger, from the link that ronjor provided (blue highlight mine) under Frequently Asked Questions:
     
  4. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,789
    Is there a way to scan for bad certificates if either in IE or Opera one may have ignored the browser's warning? Where are those certificates in XP?
     
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Mozilla released Firefox 3.6.16 and 3.5.18 to fix it. Not sure about v4.
     
  6. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    That fixed only the current fraudulent Comodo certificates, not the lack of OCSP hard fail. For manual override, see

    Code:
    http://kb.mozillazine.org/About:config_entries#Security.
     
  7. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Grabbed it off Windows Update but good to know I was already safe thanks to OCSP in IE. :thumb:
     
  8. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,867
    Location:
    Outer space
    Ok, I thought that Firefox would show a certificate warning, but users could ignore it so they blacklisted it, but it seems it wouldn't have given any warning at all.
    So what has to be done exactly? Setting Firefox to fail the validation when OCSP server cannot be contacted sets security.OCSP.require to true, but that entry is not mentioned at all in your link.
    If I change the setting from validating if OCSP server is specified to validate all with following OCSP server, which OCSP server would be best to choose? It seems to me that if I choose someone other than Comodo, they could be compromised as well and then the same problem would arise, or is this not correct?
    The default specified server is https://rca.e-szigno.hu/ocsp, which sounds a bit dodgy to me.
     
  9. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Not my fault they don't update their documentation. It can be done via GUI (rather hidden), see the other thread.

    https://www.wilderssecurity.com/showpost.php?p=1847038&postcount=9
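
An added example, not part of any post in this thread and not Mozilla's code: a Python check that reads the text of a Firefox profile's prefs.js and user.js and reports whether OCSP checking is disabled, soft fail or hard fail, based on the security.OCSP.require entry discussed above. The sample file contents are constructed, and the defaults (security.OCSP.enabled = 1, security.OCSP.require = false) are assumed for the Firefox 3.x versions in this thread.

```python
import re

# Defaults assumed for Firefox 3.x: OCSP is consulted when the certificate
# names a responder (1), but an unreachable responder is ignored (soft fail).
DEFAULTS = {"security.OCSP.enabled": 1, "security.OCSP.require": False}

# One preference per line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Constructed sample file contents, not taken from a real profile.
SAMPLE_PREFS_JS = '''\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.OCSP.enabled", 1);
'''
SAMPLE_USER_JS = 'user_pref("security.OCSP.require", true);\n'


def parse_prefs(text):
    """Return {name: value} for every user_pref line; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything malformed
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')  # string value, quotes removed
    return prefs


def ocsp_posture(*pref_texts):
    """Merge pref files in order (prefs.js, then user.js) and classify."""
    effective = dict(DEFAULTS)
    for text in pref_texts:
        parsed = parse_prefs(text)
        effective.update({k: v for k, v in parsed.items() if k in DEFAULTS})
    if effective["security.OCSP.enabled"] == 0:
        return "disabled"
    # Only a real boolean true counts; a quoted "true" parses as a string.
    return "hard-fail" if effective["security.OCSP.require"] is True else "soft-fail"


if __name__ == "__main__":
    print(ocsp_posture(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```

To check a real profile, pass the contents of its prefs.js and user.js (in that order) to `ocsp_posture`.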
     
  10. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
  11. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,941
    Location:
    USA
    I'm one of the minority then. :)
    Thank you for the heads up, Ron. :thumb:
     
  12. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    Thanks ronjor for advisory info :)
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,027
    Location:
    Texas
    You are very welcome. Thanks. :)
     
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,027
    Location:
    Texas
  15. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,027
    Location:
    Texas
  16. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,027
    Location:
    Texas